Audit Report

OIG-09-011
Management Letter for Fiscal Year 2008 Audit of the
Federal Financing Bank’s Financial Statements

November 21, 2008

Office of Inspector General
Department of the Treasury


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

November 21, 2008

MEMORANDUM FOR GARY BURNER, CHIEF FINANCIAL OFFICER
               FEDERAL FINANCING BANK

FROM:          Michael Fitzgerald /s/
               Director, Financial Audits

SUBJECT:       Management Letter for Fiscal Year 2008 Audit of the
               Federal Financing Bank’s Financial Statements

I am pleased to transmit the attached management letter in connection with the
audit of the Federal Financing Bank’s (FFB) Fiscal Year 2008 financial statements.
Under a contract monitored by the Office of Inspector General, KPMG LLP, an
independent certified public accounting firm, performed an audit of the financial
statements of FFB as of September 30, 2008, and for the year then ended. The
contract required that the audit be performed in accordance with generally
accepted government auditing standards; applicable provisions of Office of
Management and Budget Bulletin No. 07-04, Audit Requirements for Federal
Financial Statements; and the GAO/PCIE Financial Audit Manual.

As part of its audit, KPMG LLP issued and is responsible for the accompanying
management letter that discusses other matters involving internal control over
financial reporting and its operation that were identified during the audit but were
not required to be included in the audit reports.

In connection with the contract, we reviewed KPMG LLP’s letter and related
documentation and inquired of its representatives. Our review disclosed no
instances where KPMG LLP did not comply, in all material respects, with generally
accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789 or a member
of your staff may contact Donna Joseph, Manager, Financial Audits, at
(202) 927-5784.

Attachment

cc:   Kenneth Carfine
      Vice President, FFB

      Meredith Broome
      Vice President and Treasurer, FFB


KPMG LLP
2001 M Street, NW
Washington, DC 20036

November 10, 2008

Inspector General, U.S. Department of the Treasury, and the Board of Directors, Federal Financing Bank:

We have audited the financial statements of the Federal Financing Bank (the Bank) for the year ended
September 30, 2008, and have issued our report thereon dated November 10, 2008. In planning and
performing our audit of the financial statements of the Bank, we considered internal control in order to
determine our auditing procedures for the purpose of expressing our opinion on the financial statements,
and not to provide assurance on internal control. We have not considered internal control since the date of
our report.

During our audit, we noted certain matters involving internal control and other operational matters that we
present for your consideration. These comments and recommendations are summarized in Exhibit I. They
have been discussed with the appropriate members of management, and are intended to improve internal
control or result in other operating efficiencies.

We also provide in Exhibit II the status of the comments and recommendations included in our letter
arising from the fiscal year 2007 audit.

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements,
and, therefore, may not bring to light all deficiencies in policies or procedures that may exist. We aim,
however, to use our knowledge of the Bank gained during our work to make comments and suggestions
that we hope will be useful to you.

This report is intended solely for the information and use of the Bank’s management, the U.S. Department
of the Treasury’s Office of Inspector General, the U.S. Government Accountability Office, the Office of
Management and Budget, and the U.S. Congress, and is not intended to be, and should not be, used by
anyone other than these specified parties.

KPMG LLP, a U.S. limited liability partnership, is the U.S.
member firm of KPMG International, a Swiss cooperative.


Exhibit I

Federal Financing Bank
Comments and Recommendations
September 30, 2008

1.   System Development Methodology and Configuration Management Plan

     The Bank has not developed and documented a formal system development life cycle (SDLC)
     methodology or configuration management plan in accordance with the National Institute of
     Standards and Technology (NIST) Special Publication (SP) 800-64, Security Considerations in
     the Information System Development Life Cycle.

     Recommendation
     We recommend that the Bank continue its efforts in developing and documenting a system
     development methodology and a configuration management plan. The system development
     methodology should describe programming naming conventions, the system development phases
     and what is to be performed in each, procedures for handling emergency programming changes,
     application test procedures, development, test and production access control lists, etc., as
     documented in NIST SP 800-64.

     Management’s Response
     Management concurs with the finding and recommendation. Management indicated that a process
     is currently under way to document a system development methodology as part of the overall
     information technology system restructuring. The process should be completed in fiscal year 2009.

     We did not audit management’s response, and, accordingly, we express no opinion on it.

2.   Outdated LMCS Oracle Database Management System

     Oracle® ended support of the Loan Management and Control System (LMCS) Oracle Database
     Management System in fiscal year 2006; however, the Bank has not upgraded the Oracle Database
     Management System that supports LMCS to a current supported version.

     Recommendation
     We recommend that the Bank continue with plans to upgrade the LMCS Oracle database
     management system to a current version of Oracle.

     Management’s Response
     Management concurs with the finding and recommendation. Management indicated that an
     upgrade to Oracle 9 is planned for fiscal year 2009.

     We did not audit management’s response, and, accordingly, we express no opinion on it.

3.   Password Requirements

     The Bank did not set the LMCS minimum password length to meet the requirement of eight (8)
     characters outlined in the LMCS System Security Plan (SSP).

     Recommendations
     We recommend that the Bank configure LMCS to require users to use at least eight-character
     passwords, in accordance with the LMCS SSP.

     Management’s Response
     Management concurs with this finding and has revised password parameters to meet the
     8-character requirement in the LMCS SSP in October 2008.

     We did not audit management’s response, and, accordingly, we express no opinion on it.


Exhibit II

Federal Financing Bank
Status of Prior Year Recommendations
September 30, 2008

Prior Year Recommendations                      Current Year Status

1. System Security Plan                         This comment has been corrected.

2. System Development Methodology and           This comment has not been corrected and is repeated
   Configuration Management Plan                as comment 1 in the current year Management Letter.

3. Outdated LMCS Oracle Database Management     This comment has not been corrected and is repeated
   System                                       as comment 2 in the current year Management Letter.

4. Password Requirements                        This comment has been partially corrected. We have
                                                repeated the portion of the finding that has not been
                                                corrected as comment 3 in the current year
                                                Management Letter.

5. LMCS Change Control Procedures               This comment has been corrected.